One of the new features in vSphere 5.1 is Single Sign On. What is vCenter Single Sign On?
vCenter Single Sign On (SSO) is a component of the VMware Cloud Suite. SSO deals with identity management for administrators and applications that interact with the vSphere platform. SSO is based on identity management technology built by RSA and specifically tailored for VMware Cloud Infrastructure deployments.
In other words, you need to install at least one SSO instance in your vSphere deployment: it is the authentication point for every part of your virtual infrastructure that supports vCenter SSO, and it is a mandatory service for vCenter Server.
What services rely on SSO (see the figure below)?
- vCenter server
- vSphere WEB client
- vCenter server inventory services
vCenter Server is key here: you MUST have SSO up and running because the vCenter Server service relies on it. Looks like a Single Point Of Failure (SPOF) – thanks VMware for making our life more complicated 😛 . If, for some reason, the SSO service stops working, vCenter Server will keep running, but you will not be able to authenticate to it, neither with the vSphere Client nor with the vSphere Web Client.
Fortunately, there are several ways to eliminate this SPOF from the design.
#1 – VMware Single Sign On in cluster mode
You can set up SSO in clustered mode: two or more SSO instances run in Active\Slave mode and share a single SSO database. One SSO instance is defined as Primary, the remainder as slaves. A third-party (Apache) load balancer provides redundancy and High Availability. A single SSO HA cluster can provide service for multiple vCenter servers in different geographical locations.
#2 – VMware Single Sign-On multisite deployment
However, for deployments with multiple vCenter servers in different physical locations, a multisite deployment is recommended. Having an SSO instance at each location allows fast authentication for local users, but it DOESN'T provide automatic fail-over or High Availability. Each Single Sign On instance connects to the local directory services and can be deployed in standard or clustered mode.
#3 – vCenter Single Sign-On protected by vSphere Replication
The cheapest and quickest way of protecting your Single Sign On instance (if it runs on a separate server), or the whole VMware vSphere vCenter server, is vSphere Replication. It is a built-in feature of the vSphere 5.1 suite, easy to set up, reliable, and easy to recover the service from. Within the next few days I will write an article on how to set up replication and how to recover a vCenter server or SSO server from a disaster.
#4 – vCenter Server Heartbeat
Using vCenter Server Heartbeat you can protect vCenter Server and its components, and VMware Single Sign-On is on the list. vCenter Server Heartbeat greatly simplifies protection of Single Sign-On as well as the other vCenter Server components, including data (
A good article on Michael's site about vCenter server deployment considerations will give you more in-depth information about the product.
#5 – Cloning (applicable only to VMs)
As simple as it is: using PowerCLI you can schedule a clone (backup) of the virtual machine where SSO runs, whether it runs on a separate VM or on the same VM as vCenter server. The script was created by Simon Long (http://www.simonlong.co.uk/blog/).
# Import Backup CSV (one row per VM to back up; columns MasterVM and BackupDS)
$backupinfo = Import-Csv C:\scripts\mybackups.csv
# Set Date format for clone names
$date = Get-Date -Format "yyyyMMdd"
# Set Date format for emails (HH:mm is hours:minutes; "MM" would give the month)
$time = (Get-Date -f "HH:mm")
# Connect to vCenter (server name left blank here, enter your own)
Connect-VIServer ""
foreach ($customer in $backupinfo) {
    $vm = Get-VM $customer.MasterVM
    # Send Start Email
    C:\scripts\backupstartedemail.ps1
    # Create new snapshot for clone
    $cloneSnap = $vm | New-Snapshot -Name "Clone Snapshot"
    # Get managed object view
    $vmView = $vm | Get-View
    # Get folder managed object reference
    $cloneFolder = $vmView.parent
    # Build clone specification
    $cloneSpec = New-Object VMware.Vim.VirtualMachineCloneSpec
    $cloneSpec.Snapshot = $vmView.Snapshot.CurrentSnapshot
    # Make linked disk specification
    $cloneSpec.Location = New-Object VMware.Vim.VirtualMachineRelocateSpec
    $cloneSpec.Location.Datastore = (Get-Datastore -Name $customer.BackupDS | Get-View).MoRef
    $cloneSpec.Location.Transform = [VMware.Vim.VirtualMachineRelocateTransformation]::sparse
    $cloneName = "$vm-$date"
    # Create clone
    $vmView.CloneVM( $cloneFolder, $cloneName, $cloneSpec )
    # Write newly created VM to stdout as confirmation
    Get-VM $cloneName
    # Remove Snapshot created for clone (match on the snapshot's name)
    Get-Snapshot -VM (Get-VM -Name $customer.MasterVM) -Name $cloneSnap.Name | Remove-Snapshot -Confirm:$false
    # Send Complete Email
    C:\scripts\backupcompletedemail.ps1
}
# Disconnect from vCenter
Disconnect-VIServer -Confirm:$false
If you want email notifications, visit Simon's blog and get the rest of the script.
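A scheduled clone only helps if the old clones are also cleaned up, otherwise the backup datastore fills up and the job starts failing silently. The following retention script is an added example, not part of the original post and not Simon Long's code. It assumes the clones are named "<MasterVM>-yyyyMMdd" exactly as the script above produces, that mybackups.csv has a MasterVM column, and that the vCenter address and retention window are supplied as parameters; the placeholder address "vcenter.example.local" and the default of 14 days are assumptions for this example.

```powershell
# Added example: prune clone backups older than a retention window.
# Not part of the original post or Simon Long's script.
param(
    [string]$vCenterServer = "vcenter.example.local",   # placeholder, replace with your vCenter
    [string]$BackupCsv     = "C:\scripts\mybackups.csv", # same CSV the clone script reads
    [int]$RetentionDays    = 14,                          # assumed retention window
    [switch]$WhatIf                                       # report only, delete nothing
)

# PowerCLI cmdlets (Get-VM, Remove-VM, Connect-VIServer ...) come from this module
Import-Module VMware.VimAutomation.Core -ErrorAction Stop

$backupinfo = Import-Csv $BackupCsv
Connect-VIServer $vCenterServer | Out-Null

# Clones stamped before this date are candidates for deletion
$cutoff = (Get-Date).Date.AddDays(-$RetentionDays)

foreach ($customer in $backupinfo) {
    $master = $customer.MasterVM
    # Only names of the exact form "<master>-yyyyMMdd"; the master VM itself
    # and any unrelated VM with a similar prefix never match this pattern
    $pattern = '^' + [regex]::Escape($master) + '-(\d{8})$'
    $clones = Get-VM -Name "$master-*" -ErrorAction SilentlyContinue |
              Where-Object { $_.Name -match $pattern }

    foreach ($clone in $clones) {
        # Parse the date stamp out of the clone name
        $stamp   = [regex]::Match($clone.Name, $pattern).Groups[1].Value
        $created = [datetime]::ParseExact($stamp, 'yyyyMMdd', $null)
        if ($created -ge $cutoff) { continue }   # still inside the retention window

        # A powered-on clone may be in use for a restore test: leave it alone and say so
        if ($clone.PowerState -ne 'PoweredOff') {
            Write-Warning "Skipping $($clone.Name): powered on"
            continue
        }

        if ($WhatIf) {
            Write-Host "Would delete $($clone.Name) (created $stamp)"
        } else {
            Write-Host "Deleting $($clone.Name) (created $stamp)"
            # -DeletePermanently removes the clone's disks from the backup datastore,
            # not just the inventory entry
            Remove-VM -VM $clone -DeletePermanently -Confirm:$false
        }
    }
}

Disconnect-VIServer -Confirm:$false
```

Run it once with -WhatIf after the clone job has produced a few generations to confirm that only the expected "<MasterVM>-yyyyMMdd" names are listed; the anchored regex is what keeps the master VM (and anything else sharing its prefix) out of the deletion set.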
Resources:
vSphere 5.1 Single Sign On – part 2: http://www.vmwaremine.com/2012/11/26/vsphere-5-1-single-sign-on-part-2/
I guess
relay=rely & Michel = Michael
Thanks for the information. I have one question. If I have two different sites, should I have two SSOs? As both SSOs will be authenticating against a single AD domain.
Cheers,